(S//SI//REL) What Your Mother Never Told You About SIGDEV Analysis

SSG21 Net Pursuit 
Network Analysis Center 



Derived From: NSA/CSSM 1-52 
Dated: 20070108 
Declassify On: 20370401 




(U//FOUO) What have I learned in my first two years in



(U//FOUO) Important to understand the data that you are searching against



(S//SI//REL) Important to understand the hidden treasures and nuances in the various SIGDEV tools



(U//FOUO) Nothing is 100%: there are always exceptions to the tools and the rules

(S//SI//REL) Took a network view of VPNs 




(TS//SI//REL) What Makes SIGDEV Analysis Challenging?

(U//FOUO) Requires knowledge of:
- (S//SI//REL) Access and collection
- (S//SI//REL) Network protocols
- (S//SI//REL) Routing
- (TS//SI//REL) Encryption

(U//FOUO) Challenges etc....



(TS//SI//REL) Technical jargon and abbreviations
- IPSEC
- IKE
- MPLS
- PSK
- PPTP
- L2TP
- GRE
- Cisco commands



(TS//SI//REL) Challenges etc.



(S//SI//REL) Tools
- How to use them
- Knowing that they exist
- Multiple query languages
  - SQL for TOYGRIPPE
  - Oracle Text Query in DISCOROUTE
- Quantity



(U//FOUO) Tools
- DISCOROUTE
- BLACKPEARL
- TOYGRIPPE
- GNETWORK / GNOME
- NKB & RONIN
- XKEYSCORE
- TREASUREMAP
- RENOIR
- ...and more...



TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL




(TS//SI//REL) Building Network Knowledge

[Diagram: overlapping circles labelled BLACKPEARL, TOYGRIPPE and XKEYSCORE]

Maximize the overlap of the tools for success





(S//SI//REL) DISCOROUTE: NAC's router configuration database

(U//FOUO) DISCOROUTE

(C) NAC project to acquire, parse, database and display configuration files from network devices

(C) Allows analysts to mine device configs for SIGDEV discovery

Router configs are a rich source of network and VPN information




(S//SI//REL) DISCOROUTE

(S//SI//REL) All IPs are important because they all belong to a device and they all have a purpose in the network

(S//SI//REL) Search for:
- Endpoint IPs
- Loopback IPs
- Opposite end of a point-to-point connection
- IPs found in pings and telnets

(S//SI//REL) Make note of the source and destination IPs of the config



(U//FOUO) DISCOROUTE

- (U//FOUO) Country Search
- (U//FOUO) IP Search
- (U//FOUO) Text Query
- (TS//SI//REL) Manifest Tag Selection
  - K - Crypto Keys
  - H - TAO Pop
  - M - Multihop
- (S//SI//REL) VPN report



(S//SI//REL) DISCOROUTE: Country Search

(S//SI//REL) IPGeo lookup on every IP address that is parsed

(S//SI//REL) Configs with only private IPs will not show up in the results of a country search




(S//SI//REL) DISCOROUTE: Searching for IPs

(S//SI//REL) Text Query
- searches through the raw payload
- If you only search using this field, then you will miss:
  - configs that have your IP of interest only as the source or destination address of the config
  - configs where your IP falls within the range of an interface's address and mask but is never written out literally

(S//SI//REL) IP address field search
- searches through the parsed file
- If you only search using this field, then you will miss configs with your IPs of interest in pings, telnets and arp commands
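The three match modes above each find configs the others miss. As an added example (not DISCOROUTE code), the Python below runs a text match, an exact parsed-field match and an interface-range match over a handful of constructed config records; the record layout, hostnames and documentation-range addresses are assumptions made for the illustration.

```python
"""Three ways a DISCOROUTE-style search can match a stored router config, and
what each misses. Added example (not DISCOROUTE code): the record layout,
hostnames and addresses are constructed for illustration."""
import ipaddress
import re

# Each constructed record: collection source/destination, parsed interfaces
# (address, mask) and the raw payload as collected.
CONFIGS = [
    {"host": "core1", "src": "192.0.2.10", "dst": "192.0.2.20",
     "interfaces": [("198.51.100.1", "255.255.255.240")],   # /28 that covers the target
     "payload": "interface Serial0/0\n ip address 198.51.100.1 255.255.255.240\n"},
    {"host": "edge2", "src": "203.0.113.5", "dst": "198.51.100.3",  # target is the collection dst
     "interfaces": [("10.0.0.1", "255.255.255.0")],
     "payload": "interface Loopback0\n ip address 10.0.0.1 255.255.255.0\n"},
    {"host": "lns", "src": "192.0.2.11", "dst": "192.0.2.21",
     "interfaces": [("10.1.1.1", "255.255.255.0")],
     "payload": "ping 198.51.100.3\ntelnet 10.1.1.2\n"},          # target only inside a ping
    {"host": "decoy", "src": "192.0.2.12", "dst": "192.0.2.22",
     "interfaces": [("10.2.2.1", "255.255.255.0")],
     "payload": "ping 198.51.100.30\n"},                          # longer address, must not match
]
TARGET = "198.51.100.3"


def text_query(ip, configs):
    """Text Query: the literal address anywhere in the raw payload. Anchored on
    non-address characters so 198.51.100.3 does not also hit 198.51.100.30."""
    rx = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return {c["host"] for c in configs if rx.search(c["payload"])}


def ip_field_search(ip, configs):
    """IP Address field: exact match on parsed values only (interface addresses
    plus the config's own collection source and destination)."""
    return {c["host"] for c in configs
            if ip in {c["src"], c["dst"]} | {a for a, _ in c["interfaces"]}}


def subnet_search(ip, configs):
    """Interface-range match: the target sits inside an interface's address/mask,
    so the config describes its segment although the address is never written."""
    addr = ipaddress.ip_address(ip)
    return {c["host"] for c in configs
            if any(addr in ipaddress.ip_interface(f"{a}/{m}").network
                   for a, m in c["interfaces"])}


def search_all(ip, configs):
    """Union of the three modes: the set an analyst actually wants."""
    return text_query(ip, configs) | ip_field_search(ip, configs) | subnet_search(ip, configs)


if __name__ == "__main__":
    for mode in (text_query, ip_field_search, subnet_search, search_all):
        print(f"{mode.__name__:>16}: {sorted(mode(TARGET, CONFIGS))}")
```

Run against the constructed records, each single mode returns exactly one config (lns from the ping, edge2 from the collection destination, core1 from the /28 that contains the target), and only the union returns all three; the decoy with 198.51.100.30 is excluded by the boundary anchoring in the text match.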



(S//SI//REL) DISCOROUTE Search, 1 Feb to 13 Apr:

(S//SI//REL) Text Query: searching for the IP in the payload
- 3 results

(S//SI//REL) IP Address Search: searching for the IP in the parsed file
- Exact IP search
- De-duped by most recent
- 28 results (27 had the IP as the source IP)

(S//SI//REL) Somalia Country search: 66 results (12 of those had the IP as the source IP)

(S//SI//REL) Difference: the IP was the source IP of configs more times than it occurred in the payload data





(S//SI//REL) Why fewer configs for the IP in the country search?

- (S//SI//REL) 12 as opposed to 27
- (S//SI//REL) The geolocation of the IP was Hong Kong for a period of time
- (S//SI//REL) Geo is assigned to router configs at the time of ingest and is not changed if the IP's location is later corrected, so a country search only sees the location that was current when each config was ingested




(S//SI//REL) Data Found in a Text Query: Network IPs in a Huawei Config

[Screenshot of Huawei session output; recoverable lines:]
Current total sessions : 19
udp VPN: public -> public
(Inner IPs highlighted; addresses redacted)



(S//SI//REL) DISCOROUTE

(TS//SI//REL) H - TAO Pop ... the router

(S//SI//REL) M - multihop router. The admin telnetted into a router and then telnetted again to another device. Potential goldmine of information about your network, but be careful when looking through them to make sure you are associating an IP with the correct device.

(TS//SI//REL) K - crypto keys



(S//SI//REL) VPNs in Router Configs

(TS//SI//REL) DISCOROUTE sets manifest tags to 'K' for configs with crypto information

(S//SI//REL) Separate parsers developed for each vendor to pull out the endpoints and the pre-shared keys
- Cisco
- Huawei
- Juniper



(S//SI//REL) VPN Information in a Cisco Config

(S//SI//REL) Endpoint and Description Fields

crypto isakmp key VpnsAreCool address [redacted]
crypto map VPNS-ROCK 10 ipsec-isakmp

interface Tunnel1
 description Tunnel TO theStars
 bandwidth 512
 ip address [redacted]
 ip tcp adjust-mss 1350
 load-interval 30
 keepalive 5 2
 tunnel source [redacted]
 tunnel destination [redacted]
 crypto map VPNS-ROCK
(S//SI//REL) VPN Information in a Cisco Config

(S//SI//REL) NetStrings: Usernames, SNMP Community & Domain Names

username deb privilege 5 password 7 082C495A0C1617

snmp-server community dancer RW 70
snmp-server community tangosnmp RW 60

ip domain name lifesabeach




(S//SI//REL) VPN Information in a Huawei Config

#
 ike proposal 60
  authentication-a
#
 ike peer e
  exchange-mode aggressive
  pre-shared-key GoHokies
  ike-proposal 60
  undo version 2
  local-id-type name
  remote-name svn
  remote-address [redacted]
  remote-address authentication-address [redacted]
  nat traversal
#
 ipsec proposal GoHokies
#
 ipsec policy helloworld 60 isakmp
  security acl 3060
  ike-peer
  proposal GoHokies
#
 interface Virtual-Template1
  ip address [redacted]
  remote address pool 1
#
 interface GigabitEthernet0/0/0
#
 interface GigabitEthernet0/0/1
  description GigabitEthernet0/0/1 Interface
  ip address [redacted]
  ipsec policy helloworld









(S//SI//REL) VPN Information in a Juniper Config

set ike gateway "BadguyVPN" address [redacted] Main outgoing-interface "untrust" preshare "xGe7YOYfNx3DNGsp4GCq+fgCdondsCBQtVwo/3YfCvbR7zJyDUewVD4=" proposal "pre-g2-3des-sha" "pre-g2-3des-md5"
set ike gateway "BadguyVPN" cert peer-ca all
set ike gateway "BadguyVPN Backup" address [redacted] Main outgoing-interface "untrust" preshare "YWZpKbUvNGQvCbsiXdCwv3pxRDnl_EAxo9877SfJFLBgg9utCdSyYPPI=" proposal "pre-g2-3des-sha" "pre-g2-3des-md5"
set ike gateway "To Mouse" address [redacted] Main outgoing-interface "untrust" preshare "fn3VG5ElNI+amHsDeyChciqYVHnuTsbj4w==" proposal "pre-g2-3des-sha"
set ike respond-bad-spi 1
set vpn "BadguyVPN" gateway "BadguyVPN" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "BadguyVPN" monitor optimized rekey
set vpn "BadguyVPN" id 5 bind interface tunnel.3
set vpn "backup BadguyVPN" gateway "BadguyVPN Backup" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-sha" "nopfs-esp-3des-sha" "nopfs-esp-3des-md5"
set vpn "backup BadguyVPN" monitor optimized rekey
set vpn "backup BadguyVPN" id 4 bind interface tunnel.1
set vpn "From Rat" gateway "To Mouse" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
set vpn "From Rat" monitor optimized rekey
set vpn "From Rat" id 6 bind interface tunnel.2
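The per-vendor parsers described in the "VPNs in Router Configs" slide pull endpoints, pre-shared keys and netstrings out of text like the Cisco and Juniper excerpts above. As an added example (not DISCOROUTE's parser), the Python below does that for Cisco IOS and Juniper ScreenOS; the regexes, field names and sample configs are constructed for the illustration, patterned on the page's excerpts with documentation-range addresses in place of the redacted ones. Two checks a practitioner wants are built in: Cisco "password 7" is reversible obfuscation rather than a hash, so the example decodes it, while the ScreenOS preshare value is stored encrypted by the device and is only recorded as found.

```python
"""Extract VPN-relevant fields from Cisco IOS and Juniper ScreenOS configs.

Added example, not DISCOROUTE's parser. Regexes, field names and the sample
configs are constructed for illustration (patterned on the page's excerpts,
with documentation-range addresses in place of the redacted ones).
"""
import re

# Cisco "password 7" is reversible obfuscation (XOR against a fixed key), not a
# hash: the first two digits are the starting offset into the key.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc: str) -> str:
    seed, body = int(enc[:2]), bytes.fromhex(enc[2:])
    return "".join(chr(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)])
                   for i, b in enumerate(body))


CISCO_GLOBAL = {
    "isakmp_key": re.compile(r"^crypto isakmp key (\S+) address (\S+)", re.M),
    "crypto_map": re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp", re.M),
    "snmp_community": re.compile(r"^snmp-server community (\S+)", re.M),
    "username": re.compile(r"^username (\S+) (?:privilege \d+ )?password 7 (\S+)", re.M),
    "domain": re.compile(r"^ip domain[- ]name (\S+)", re.M),
}


def parse_cisco(cfg: str) -> dict:
    out = {k: rx.findall(cfg) for k, rx in CISCO_GLOBAL.items()}
    out["username"] = [(u, decode_type7(p)) for u, p in out["username"]]
    out["interfaces"], cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            out["interfaces"][cur] = {}
        elif cur and line.startswith(" "):        # indented lines belong to the interface
            w = line.split()
            if not w:
                continue
            iface = out["interfaces"][cur]
            if w[0] == "description":
                iface["description"] = " ".join(w[1:])
            elif w[:2] == ["ip", "address"] and len(w) >= 4:
                iface["address"], iface["mask"] = w[2], w[3]
            elif w[:2] in (["tunnel", "source"], ["tunnel", "destination"]):
                iface["tunnel_" + w[1]] = w[2]     # the VPN endpoints for this tunnel
            elif w[:2] == ["crypto", "map"]:
                iface["crypto_map"] = w[2]
        else:
            cur = None                              # any other top-level line ends the block
    return out


# ScreenOS writes the preshare value encrypted; it is recorded as found, not decoded.
SOS_GATEWAY = re.compile(r'^set ike gateway "([^"]+)" address (\S+) .*?preshare "([^"]+)"', re.M)
SOS_VPN = re.compile(r'^set vpn "([^"]+)" gateway "([^"]+)"', re.M)
SOS_BIND = re.compile(r'^set vpn "([^"]+)" id (\d+) bind interface (\S+)', re.M)


def parse_screenos(cfg: str) -> dict:
    gateways = {n: {"address": a, "preshare": p} for n, a, p in SOS_GATEWAY.findall(cfg)}
    vpns = {n: {"gateway": g} for n, g in SOS_VPN.findall(cfg)}
    for n, vid, iface in SOS_BIND.findall(cfg):
        vpns.setdefault(n, {}).update(id=int(vid), interface=iface)
    return {"gateways": gateways, "vpns": vpns}


# Constructed samples, patterned on the page's excerpts.
CISCO_SAMPLE = """\
ip domain name lifesabeach
username deb privilege 5 password 7 082C495A0C1617
crypto isakmp key VpnsAreCool address 203.0.113.7
crypto map VPNS-ROCK 10 ipsec-isakmp
 set peer 203.0.113.7
!
interface Tunnel1
 description Tunnel TO theStars
 ip address 10.9.9.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.7
 crypto map VPNS-ROCK
!
snmp-server community dancer RW 70
snmp-server community tangosnmp RW 60
"""

SCREENOS_SAMPLE = """\
set ike gateway "BadguyVPN" address 198.51.100.9 Main outgoing-interface "untrust" preshare "xGe7YOYfNx3DNGsp4GCq+fgCdondsCBQtVwo/3YfCvbR7zJyDUewVD4=" proposal "pre-g2-3des-sha"
set ike gateway "BadguyVPN" cert peer-ca all
set vpn "BadguyVPN" gateway "BadguyVPN" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "BadguyVPN" id 5 bind interface tunnel.3
"""

if __name__ == "__main__":
    print(parse_cisco(CISCO_SAMPLE))
    print(parse_screenos(SCREENOS_SAMPLE))
```

The Cisco result carries the ISAKMP key with its peer, the tunnel source and destination per interface, the SNMP communities and domain as netstrings, and the username with its type 7 value decoded; the ScreenOS result ties each VPN to its gateway, the gateway's peer address and the tunnel interface it is bound to, which is the chain the VPN Peers section of a report walks.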
(S//SI//REL) VPN Report Search

(S//SI//REL) Some of the fields that you can search in...
- Country
- IP Address
- SIGAD/Case Notation
- Descriptions: crypto map and interface
- Netstrings: Username, Domain Name
- Pre-shared keys
- Device Hostname
- TAO Project Name










(S//SI//REL) DISCOROUTE VPN Report Form

[Screenshot of the DISCOROUTE VPN Report query form. Recoverable elements:]
- Tabs: Query | Results; Network Mgmt Query | Wiki | Feedback; NKB HOME; Route Reports
- Date: Start 2012-03-14 00:00:00, End 2012-04-13 23:59:59 (DOI / Load Date / Entire Database)
- IP Address (1.2.3.4): [ ] Tunnel Source [ ] Tunnel Dest [ ] Interface [ ] VPN Source [ ] VPN Remote
- Hostname, SIGAD, Case, Country, TAO Project Name, Session ID
- Pre-Shared Keys, Snmp Community, Interface Descr, Crypto Descr, Username, Domain Name
- Buttons: Generate Report / Generate Report in New Window / Clear Panel
- Footer: Powered by the SIGDEV Lab, Version Number 2.17, Last Modified Date: March 28, 2012
[Screenshot of a DISCOROUTE VPN Report result. Recoverable content (addresses and PSKs redacted):]

Session ID: 1332289408998

Hostname            Vendor  Sigad     Case Notation    Collection Source  Country     TAO Project  TAO Pop
IBL_Baghdad_Router  cisco   USJ-759A  E9BDJ00000M0000  XKeyscore          [redacted]  [redacted]   No

Interfaces
Interface ID     IP          Network Mask     Description
Loopback0        [redacted]  255.255.255.255  Voice traffic
FastEthernet0/0  [redacted]  255.255.255.240  Connected To ASA/Firewall
FastEthernet0/1  [redacted]  255.255.255.248  Connected To 2MB DSL
Serial0/1/0      [redacted]  255.255.255.240  Connected To DVB

Tunnels
ID       Source      Dest        Description
Tunnel1  [redacted]  [redacted]  Tunnel TO Beirut
Tunnel1  [redacted]  [redacted]  Tunnel TO Beirut

VPN Peers
ID           Router IP   VPN Type  PSKs        Description
Serial0/1/0  [redacted]  ipsec     [redacted]  IblBaghdad
Tunnel1      [redacted]  ipsec     [redacted]  IblvoiceVpn
Serial0/1/0  [redacted]  ipsec     [redacted]  IblBaghdad
Tunnel1      [redacted]  ipsec     [redacted]  IblvoiceVpn
Serial0/1/0  [redacted]  ipsec     [redacted]  IblBaghdad
Tunnel1      [redacted]  ipsec     [redacted]  IblvoiceVpn
Serial0/1/0  [redacted]  ipsec     [redacted]  IblBaghdad
Tunnel1      [redacted]  ipsec     [redacted]  IblvoiceVpn
(S//SI//REL) VPN Report

(U) Use the VPN report as a start but not as the final answer for VPNs from a country or a SIGAD

(C) Query in different ways to make sure you get as much of the data as possible

(TS//SI//REL) Depending on your scenario you may want to start with a country search, an IP range or a descriptive term

The VPN Peers section contains the endpoint IPs for your VPN, which can be entered into TOYGRIPPE




(S//SI//REL) Description & NetStrings Searches

(S//SI//REL) Suppose you do a general VPN report query
- Search by country
- Search by SIGAD

(S//SI//REL) Find a VPN of interest

(S//SI//REL) Analyze the NetStrings and the description fields

(S//SI//REL) NetStrings

(S//SI//REL) Do a follow-on VPN report using a netstring specific to your network
- SNMP community string: pegasus
- Domain name: badguy.com
- Username

(S//SI//REL) Search ROYALNET
- Analytics to find other netstrings related to your target
- Analytics to find links likely to carry your target's communications




(U//FOUO) BLACKPEARL

(S//SI//REL) NAC tool enabling automated DNI link and network characterization against survey collection across the SIGINT system

(S//SI//REL) BLACKPEARL

(S//SI//REL) General Query

(S//SI//REL) Customized reports
- VPN report
- DNI Access Essentials
- MPLS report
- Five Tuple Report



(S//SI//REL) BLACKPEARL IP Search
- Interface IPs
- Loopback IPs
- Source or destination IPs of the router config file
- Inner network IPs
- Analyze other IPs on the link




(U//FOUO) BLACKPEARL

- (S//SI//REL) Search 'All traffic' and include subchannels and tunnels if no results are found under the limited search
- (S//SI//REL) If a link is identified as MPLS, then look at the other IPs in the inner labels, if present
- (S//SI//REL) Use BLACKPEARL for finding access and gathering information on your network



(S//SI//REL) Search for Inner Tunneled IPs

- (S//SI//REL) Query BLACKPEARL with an endpoint IP
- Find other tunneled IPs: inner network IPs on which you can do follow-on searches
- (S//SI//REL) Query DISCOROUTE with any new IPs found
- (TS//SI//REL) Success: Discovered information on Somalia's Hormuud network



(TS//SI//REL) Example: Hormuud Network

(S//SI//REL) Began with loopback IPs from a spreadsheet

(S//SI//REL) Found configs for 2 of the 12 loopbacks in a text query in DISCOROUTE
- the two IPs were in the payload but not parsed

(S//SI//REL) Took the IPs from those configs and found other configs, one with hostname 'LNS'






(U) Example

(S//SI//REL) BLACKPEARL hit on the LNS IP
- Inner IPs in L2TP tunnels

(S//SI//REL) DISCOROUTE (DR) search for the inner IPs from the L2TP tunnels found more configs

(U//FOUO) Many of the configs were multi-hop

(S//SI//REL) Information compiled for TAO: ~400 IPs for over 50 devices




(TS//SI//REL) BLACKPEARL Search

[Screenshot of BLACKPEARL five-tuple output for three L2TP tunnels; addresses redacted. Recoverable rows:]

L2TP tunnel, Number of Five Tuples: 1
#  Source Address  Dest Address  Source Port   Dest Port  Next Protocol  % Packets  # Pad
1  [redacted]      [redacted]    [unreadable]  4527       TCP (6)        100.0      43

L2TP tunnel, Number of Five Tuples: 6 (Source Address and Destination Address redacted)
#  Source Port  Dest Port  Next Protocol  % Packets  # Pad
1  9101         53771      TCP (6)        67.2       39
2  6006         53779      TCP (6)        8.6        5
3  6000         53059      TCP (6)        6.0        [unreadable]
4  6006         53783      TCP (6)        6.9        4
5  6000         53778      TCP (6)        5.2        3
6  6000         53782      TCP (6)        5.2        3

L2TP tunnel, Number of Five Tuples: 2, 24 total packets (Source Address and Destination Address redacted)
#  Source Port  Dest Port  Next Protocol  % Packets  # Pad
1  23           3078       TCP (6)        83.3       20
2  23           3080       TCP (6)        16.7       4
(TS//SI//REL) BLACKPEARL MPLS

[Screenshot of a BLACKPEARL MPLS report: outer label 1046418 with inner labels 7938, 7211, 6660, 6306, 7180, 8120, 6315 and 6705, each expandable to a tuple list with columns Source Address, Dest Address, Protocol Number and Pkt Count. Addresses redacted.]
(U//FOUO) TOYGRIPPE

(S//SI//REL) VPN Metadata Repository

(S//SI//REL) Building VPN Network Knowledge

- (S//SI//REL) VPNs are part of a larger network
- (S//SI//REL) Inner or tunneled IPs are a peek inside the target's network
- (S//SI//REL) Beneficial to look beyond the endpoints of your VPN
- (S//SI//REL) Combine information from as many SIGDEV databases as you can




(U//FOUO) TOYGRIPPE

(U//FOUO) Search 3 months at a time

(U//FOUO) Keep going back in time if no results are found

(S//SI//REL) Take endpoint IPs found here and search in:
- DISCOROUTE -- device information
- BLACKPEARL -- inner tunneled IPs

(S//SI//REL) Country report



(U//FOUO) TOYGRIPPE

(S//SI//REL) Make note of other connections to the IP of interest and search for them separately

(S//SI//REL) You might not find what you are looking for, but it still may be important

(S//SI//REL) Convert the target domain name to hex and search for it in the idData field
- badguy.com -> 6261646775792e636f6d
  (idData LIKE '%6261646775792e636f6d')



(U//FOUO) Endpoint IPs

(S//SI//REL) Query each IP in TOYGRIPPE separately
- Try to determine the importance of the connections
- Note other VPN connections: all IPs are important until proven otherwise

(TS//SI//REL) Success: Discovered Iranian corporate intranet



(S//SI//REL) Building a VPN Intranet

[Diagram of VPN connections found by searching back through TOYGRIPPE. Nodes: Izmir, Istanbul, Ankara, Malaysia, Armenia, Tehran, South Korea. All branches of the same company; hub was in Tehran.]

(S//SI//REL) Finding Suspicious VPN Connections

[Same diagram with two connections highlighted.]

(TS//SI//REL) Two connections outside the target company
(S//SI//REL) Discovery of a Data Center

[Diagram of the VPN connections among IP A, IP C and a third address; addresses redacted.]

...and when I did a follow-on search in TOYGRIPPE for IP C, I only found that it established VPN connections to IP A.

Later discovered that IP C belonged to a data center in another country





(S//SI//REL) Search for the other end of the point-to-point

(S//SI//REL) What if you already have the VPN endpoints from a GNOME report or a TOYGRIPPE search?

(S//SI//REL) Search for that IP in the DISCOROUTE VPN report GUI - you don't find it

(S//SI//REL) Try to search for the other end of what would be a point-to-point connection in DISCOROUTE to find the customer edge router (on a /30 link the other end is the only other host address in that subnet)

(S//SI//REL) END GOAL: find more information about the network
(S//SI//REL) Customer Edge Routers

(U//FOUO) NKB and RONIN

(S//SI//REL) NKB is NSA's Network Knowledge Base delivering target communications' DNI and enrichment data

(S//SI//REL) RONIN is a device characterization database and one of the enrichments to NKB
(U//FOUO) NKB

(S//SI//REL) RONIN data
- Server Analytics: VPN identified through application layer information in ASDF
  - Wiki: VPN Metadata in ASDF
- VPN Analytics: endpoint in TOYGRIPPE
- Router Config: new descriptive information coming soon to include tunnel & VPN information for IPs

Example: Kenya VPN IP
[Screenshot of the NKB view for the Kenya VPN IP, with its RONIN enrichment rows (Data Source, Service/Device, Type, Properties, Comments, Date). Recoverable content; addresses, interface names and netmasks redacted:]
- RONIN, Hardware, Interface: ROUTER, fast ethernet:IP, count=1: serviced by interface [redacted] on a Cisco router (name unreadable), model "c870", with netmask [redacted] and description "To DSL provider" (source: DISCOROUTE), 2011-Aug
- RONIN, Hardware, Interface: ROUTER, fast ethernet:IP, count=5: same router and interface (source: DISCOROUTE), 2011-Oct-12
- RONIN, Hardware, Interface: ROUTER, unknown:IP, count=1: same router (source: DISCOROUTE), 2011-Oct-13 (two rows)
- RONIN, Service, Interface: ROUTER, IP ROUTE: Routed By, count=1: routed by router "BP_AGG01", 2011-Sep-12
- RONIN, Hardware, Interface: ROUTER, fast ethernet:IP, count=1: [redacted]/32 observed as the IP for interface [redacted]
- RONIN, Service, Interface: SERVER, vpn:IKEv1, count=50
- RONIN, Service, Interface: SERVER, VPN:Cisco, count=195
(U//FOUO) GNETWORK

(S//SI//REL) Tool used to extract and correlate information from a variety of NAC, SSG, SSO, NTOC and other metadata databases
(S//SI//REL) Keep an Eye on the Entire Netblock

- (S//SI//REL) Multiple VPNs for one target
  - different purposes
  - different clients

(S//SI//REL) GNOME Task: Private IP VPNs

(S//SI//REL) Find a public IP associated with your private IP
- Loopback IP
- Another interface IP

(S//SI//REL) Use those for your GNOME report and look for your private IP on the same link

(S//SI//REL) Data presented in the VPN tab of the GNOME report is limited
(U//FOUO) Network Patterns...





(S//SI//REL) IP Patterns

(S//SI//REL) Admins are people: they lean towards predictability in the assignment of IPs to make their job easier

(S//SI//REL) An IP, or a combination of its octets, could be an indication of:
- network provider
- location
- specific purpose in the network






(S//SI//REL) Client side of the VPN:
- Second octet indicated the network provider
  - 20 = network provider #1
  - 21 = network provider #2
- Second and third octet = country
  - 20.30 and 21.30 were the same country but different providers
- 40 = individual target entity in that country

(S//SI//REL) Server side of the VPN:
- Second octet indicated the network provider
  - 51 = network provider #1
  - 52 = network provider #2
(S//SI//REL) Example #2: Network Patterns

(S//SI//REL) Public IP VPN:
- Third octet = country location of this IP (three possible)
- Fourth octet = country location of the other side of the VPN connection

Analyzed the opposite side of this /24 and identified the country for 167 fourth-octet values (out of 209) -> when this public IP connects to a private IP, we know the country location of the private IP even though the private address itself cannot be geolocated.
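The inference in Example #2 is a small, repeatable procedure: learn which fourth-octet values map to a single far-end country from the pairs that can be geolocated, treat values seen with more than one country as untrustworthy, and then apply the table to pairs whose far end is a private address. As an added example (not a NAC tool), the Python below does that over constructed pairs; the addresses, the "CountryA"/"CountryB" labels and the counts are assumptions made for the illustration, and the 167-of-209 coverage figure from the slide is reported in the same (explained, total) form.

```python
"""Learn an address-assignment pattern from observed VPN pairs and apply it.
Added example, not a NAC tool: the pairs, country labels and the rule that the
fourth octet of the public IP encodes the far end's country are constructed to
mirror the pattern described on the slide."""
import ipaddress
from collections import defaultdict


def fourth_octet(ip: str) -> int:
    return int(ip.split(".")[3])


def learn_octet_map(pairs):
    """pairs: (public_ip, peer_ip, peer_country or None when no geo is available).
    Returns ({octet: country} for octets whose geolocated peers all agree,
    {octets seen with more than one country})."""
    seen = defaultdict(set)
    for pub, _, country in pairs:
        if country is not None:
            seen[fourth_octet(pub)].add(country)
    table = {o: next(iter(cs)) for o, cs in seen.items() if len(cs) == 1}
    conflicts = {o for o, cs in seen.items() if len(cs) > 1}
    return table, conflicts


def place_private_peers(pairs, table):
    """Far ends with private addresses cannot be geolocated; infer their country
    from the public side's octet, or report 'unknown' when the table has no entry."""
    return {peer: table.get(fourth_octet(pub), "unknown")
            for pub, peer, country in pairs
            if country is None and ipaddress.ip_address(peer).is_private}


def coverage(pairs, table):
    """(explained, total) distinct fourth-octet values seen on the public side."""
    values = {fourth_octet(pub) for pub, _, _ in pairs}
    return sum(1 for v in values if v in table), len(values)


# Constructed observations: (public VPN IP, far-end IP, far-end country from geo).
PAIRS = [
    ("203.0.113.10", "198.51.100.5", "CountryA"),
    ("203.0.113.10", "198.51.100.6", "CountryA"),
    ("203.0.113.11", "192.0.2.77", "CountryB"),
    ("203.0.113.12", "192.0.2.80", "CountryB"),
    ("203.0.113.12", "198.51.100.9", "CountryA"),   # octet 12 disagrees: do not trust it
    ("203.0.113.10", "10.20.30.40", None),          # private far end, no geo possible
    ("203.0.113.13", "10.20.31.2", None),           # octet 13 was never geolocated
]

if __name__ == "__main__":
    table, conflicts = learn_octet_map(PAIRS)
    print("table:", table, "conflicts:", conflicts)
    print("private peers placed:", place_private_peers(PAIRS, table))
    print("coverage:", coverage(PAIRS, table))
```

On the constructed pairs the table explains octets 10 and 11 only: octet 12 is flagged because it was seen with two countries, and the private peer behind octet 13 stays "unknown" rather than being assigned a country the data never supported, which is the check that keeps a pattern from being over-applied.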





(U//FOUO) Final Thoughts...

(S//SI//REL) Just because you don't get results doesn't mean the answer isn't there
- If you're looking for a connection from A to B and don't find it, then maybe you need to look for one from A to C to B

(S//SI//REL) Try the query a different way
- Widen the search either by wildcarding (if permitted) or by selecting a different drop-down option
- Enter information in a different field

(U//FOUO) Final Thoughts...

(S//SI//REL) All IPs are important until proven otherwise
- They all serve a purpose and belong to a device
- Make note of what you find even if you don't know at the time what it means

(S//SI//REL) Search for data even if results are unlikely

(S//SI//REL) Don't necessarily discard dated information

(U//FOUO) Final Thoughts...

- (U//FOUO) Understand the data that you are searching and what the fields in the GUI are searching for
- (U//FOUO) Take an iterative approach: start searches wide, then narrow them down, then widen back out again
- (S//SI//REL) Bounce between the different databases and use the tools for every aspect of your network analysis

(S//SI//REL) VPN SIGDEV: Build the network knowledge.

- (TS//SI//REL) Dig beyond paired collection, PSKs and persistence
- (S//SI//REL) Discovery of the inner IPs of the VPN is possible in ways other than decryption
- (S//SI//REL) Investigate device IPs
- (U//FOUO) Look for patterns
- (S//SI//REL) Discover the 'N' of your VPN



(U//FOUO) Questions?

SSG21 Net Pursuit
Network Analysis Center


(S//SI//REL) Simplifying and Automating VPN SIGDEV

SSG22
Network Analysis Center




(U//FOUO) The Ultimate Goals

- (S//SI//REL) Integrate VPN information into mainstream analytic tools and knowledge bases.
- (S//SI//REL) Give analysts the ability to discover, develop, and track known targets using VPNs.
- (S//SI//REL) Give analysts the ability to discover new targets using VPNs.



(U//FOUO)

- (S//SI//REL) Develop new corporate VPN tool (DARKSUNRISE).
- Joint collaboration between CES and the NAC.
- Take advantage of cloud architecture.
- Strive to meet the needs of the entire VPN community.



(U//FOUO) To The Cloud!

(S//SI//REL) Data stored in MDR-2, the corporate metadata repository.
- Stores one year of DNI metadata.
- Enables filtering, aggregating, and transforming large datasets quickly.
- Manage high data volumes.
- Answer VPN questions efficiently and easily.



(S//SI//REL) What are Some of the Needs of the VPN SIGDEV Community?

- (S//SI//REL) Answer VPN SIGDEV questions quickly.
- (S//SI//REL) Allow SIGDEVers to spend time analyzing data instead of gathering and processing the data first.
- (S//SI//REL) Make VPN SIGDEV more widely understood by simplifying and automating the SIGDEV process.
- (S//SI//REL) Robust structure
  - Allow for multiple VPN and network encryption
  - Allow for incorporation of new analytics.



(S//SI//REL) What are Some of the Questions?

(S//SI//REL) Basic Questions
- Is my target using a VPN?
- What are all of the VPNs from country BadGuyLand?
- Tell me all of the VPNs where domain = sita*.
- Tell me all of the VPNs where the vendor ID = Cisco.



(S//SI//REL) What are Some of the Questions?

(S//SI//REL) Specialized Questions
- What are all of the VPNs that are bi-directional?
- What are all of the VPNs that are paired?
- Tell me all of the VPNs (and how many) that a particular VPN talks to (persistent hubs/centrality).
- What are all of the VPNs that are of interest (via Target Network Service)?
- What VPNs are associated to a router config?
- What are all of the VPNs that are persistent?
- For which VPNs do we have a PSK?



(S//SI//REL) What are Some of the Questions?

(S//SI//REL) Synthesizing Information
- What are all of the VPNs that are bi-directional, persistent, and of interest?
- What are all of the VPNs that are paired, persistent, and for which we have a PSK?
- What are all of the VPNs from country BadGuyLand that are paired, associated to a router config, and of interest?



(U//FOUO) DARKSUNRISE

(U//FOUO) This is a prototype GUI.

(U//FOUO) Coming Fall 2012